activerecord 6.1.5 → 6.1.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 726b98d501c1bb19481f8961894653a362e7ee0bd9993c35ef25e9ad4d76ccf4
-  data.tar.gz: f479e8a86f16437cf977c04a0bb6f69783281176eeedb955348634114876b6c4
+  metadata.gz: 2093e13defc611f0ec1e62d7efd445bcd1c5b182d8aab24f3dd3625047ce2f9f
+  data.tar.gz: 8d3e9a6daab9d0026cc1826d1caf2f24fee239d05b63cbb0eac866b1daded767
 SHA512:
-  metadata.gz: 917b3e5292fa4e7927994fcab3f6b6c07d9615c8c755e1f4950a55bcf5d9232c53f116ceee41ba63d7f6bdf23bc9b3f0e778edfd102aa6327808374fdb8e1ba0
-  data.tar.gz: e772cf960f0a2c361cd2701b7ac765cefc86336bcf353741dc8dd4c56937db0392ba41b762ca9d26879702fbf74f2ff10197235715b0b7aa3b69e83e2fba1ca8
+  metadata.gz: 3e6be64f1492b2441290abac0af6cde31950acef133ccdd98202b2ab719dc48b0f969eda318b4712c508cde2f29b3a6c381c27c6e7467b4ee25ec97209717d7a
+  data.tar.gz: 924c8bcbbaa608deb02263437e76947737b041b39a86818585e3d087530f0d1e3fdc537fc10d1177fe6cf2413deaf47f655342435312a5d473a4789e7a35631f

data/CHANGELOG.md

@@ -1,15 +1,48 @@
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   Change ActiveRecord::Coders::YAMLColumn default to safe_load
+
+    This adds two new configuration options The configuration options are as
+    follows:
+    
+    * `config.active_storage.use_yaml_unsafe_load`
+    
+    When set to true, this configuration option tells Rails to use the old
+    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
+    the possible escalation vulnerability in place.  Setting this option to true
+    is *not* recommended, but can aid in upgrading.
+    
+    * `config.active_record.yaml_column_permitted_classes`
+    
+    The "safe YAML" loading method does not allow all classes to be deserialized
+    by default.  This option allows you to specify classes deemed "safe" in your
+    application.  For example, if your application uses Symbol and Time in
+    serialized data, you can add Symbol and Time to the allowed list as follows:
+    
+    ```
+    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+    ```
+
+    [CVE-2022-32224]
+
+
+## Rails 6.1.5.1 (April 26, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.5 (March 09, 2022) ##
 
 *   Fix `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` for Ruby 2.6.
 
-    Ruby 2.6 and 2.7 have slightly different implementations of the `String#@-` method.
-    In Ruby 2.6, the receiver of the `String#@-` method is modified under certain circumstances.
+    Ruby 2.6 and 2.7 have slightly different implementations of the `String#-@` method.
+    In Ruby 2.6, the receiver of the `String#-@` method is modified under certain circumstances.
     This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
     fixed in Ruby 2.7.
 
     Before the changes in this commit, the
     `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` method, which internally
-    calls the `String#@-` method, could also modify an input string argument in Ruby 2.6 --
+    calls the `String#-@` method, could also modify an input string argument in Ruby 2.6 --
     changing a tainted, unfrozen string into a tainted, frozen string.
 
     Fixes #43056

data/lib/active_record/coders/yaml_column.rb

@@ -45,13 +45,15 @@ module ActiveRecord
           raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
         end
 
-        if YAML.respond_to?(:unsafe_load)
-          def yaml_load(payload)
-            YAML.unsafe_load(payload)
-          end
-        else
-          def yaml_load(payload)
-            YAML.load(payload)
+        def yaml_load(payload)
+          if !ActiveRecord::Base.use_yaml_unsafe_load
+            YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
+          else
+            if YAML.respond_to?(:unsafe_load)
+              YAML.unsafe_load(payload)
+            else
+              YAML.load(payload)
+            end
           end
         end
     end

data/lib/active_record/connection_adapters/abstract/schema_definitions.rb

@@ -198,6 +198,10 @@ module ActiveRecord
 
         def index_options(table_name)
           index_options = as_options(index)
+
+          # legacy reference index names are used on versions 6.0 and earlier
+          return index_options if options[:_uses_legacy_reference_index_name]
+
           index_options[:name] ||= polymorphic_index_name(table_name) if polymorphic
           index_options
         end

data/lib/active_record/connection_adapters/schema_cache.rb

@@ -207,8 +207,8 @@ module ActiveRecord
               value.map { |i| deep_deduplicate(i) }
             when String
               if value.tainted?
-                # Ruby 2.6 and 2.7 have slightly different implementations of the String#@- method.
-                # In Ruby 2.6, the receiver of the String#@- method is modified under certain
+                # Ruby 2.6 and 2.7 have slightly different implementations of the String#-@ method.
+                # In Ruby 2.6, the receiver of the String#-@ method is modified under certain
                 # circumstances, and this was later identified as a bug
                 # (https://bugs.ruby-lang.org/issues/15926) and only fixed in Ruby 2.7.
                 value = value.dup

data/lib/active_record/core.rb

@@ -155,6 +155,14 @@ module ActiveRecord
 
       mattr_accessor :legacy_connection_handling, instance_writer: false, default: true
 
+      # Application configurable boolean that instructs the YAML Coder to use
+      # an unsafe load if set to true.
+      mattr_accessor :use_yaml_unsafe_load, instance_writer: false, default: false
+
+      # Application configurable array that provides additional permitted classes
+      # to Psych safe_load in the YAML Coder
+      mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
+
       self.filter_attributes = []
 
       def self.connection_handler

data/lib/active_record/gem_version.rb

@@ -9,8 +9,8 @@ module ActiveRecord
   module VERSION
     MAJOR = 6
     MINOR = 1
-    TINY  = 5
-    PRE   = nil
+    TINY  = 6
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_record/migration/compatibility.rb

@@ -22,27 +22,10 @@ module ActiveRecord
           end
         end
 
-        module SQLite3
-          module TableDefinition
-            def references(*args, **options)
-              args.each do |ref_name|
-                ReferenceDefinition.new(ref_name, type: :integer, **options).add_to(self)
-              end
-            end
-            alias :belongs_to :references
-
-            def column(name, type, index: nil, **options)
-              options[:precision] ||= nil
-              super
-            end
-          end
-        end
-
         module TableDefinition
           def references(*args, **options)
-            args.each do |ref_name|
-              ReferenceDefinition.new(ref_name, **options).add_to(self)
-            end
+            options[:_uses_legacy_reference_index_name] = true
+            super
           end
           alias :belongs_to :references
         end
@@ -73,12 +56,11 @@ module ActiveRecord
 
         def add_reference(table_name, ref_name, **options)
           if connection.adapter_name == "SQLite"
-            reference_definition = ReferenceDefinition.new(ref_name, type: :integer, **options)
-          else
-            reference_definition = ReferenceDefinition.new(ref_name, **options)
+            options[:type] = :integer
           end
 
-          reference_definition.add_to(connection.update_table_definition(table_name, self))
+          options[:_uses_legacy_reference_index_name] = true
+          super
         end
         alias :add_belongs_to :add_reference
 
@@ -86,7 +68,6 @@ module ActiveRecord
           def compatible_table_definition(t)
             class << t
               prepend TableDefinition
-              prepend SQLite3::TableDefinition
             end
             t
           end
@@ -148,7 +129,7 @@ module ActiveRecord
             class << t
               prepend TableDefinition
             end
-            t
+            super
           end
 
           def command_recorder

data/lib/active_record/railtie.rb

@@ -279,5 +279,23 @@ To keep using the current cache store, you can turn off cache versioning entirel
         self.signed_id_verifier_secret ||= -> { Rails.application.key_generator.generate_key("active_record/signed_id") }
       end
     end
+
+    initializer "active_record.use_yaml_unsafe_load" do |app|
+      config.after_initialize do
+        unless app.config.active_record.use_yaml_unsafe_load.nil?
+          ActiveRecord::Base.use_yaml_unsafe_load =
+            app.config.active_record.use_yaml_unsafe_load
+        end
+      end
+    end
+
+    initializer "active_record.yaml_column_permitted_classes" do |app|
+      config.after_initialize do
+        unless app.config.active_record.yaml_column_permitted_classes.nil?
+          ActiveRecord::Base.yaml_column_permitted_classes =
+            app.config.active_record.yaml_column_permitted_classes
+        end
+      end
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activerecord
 version: !ruby/object:Gem::Version
-  version: 6.1.5
+  version: 6.1.6.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-10 00:00:00.000000000 Z
+date: 2022-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.5
+        version: 6.1.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.5
+        version: 6.1.6.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.5
+        version: 6.1.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.5
+        version: 6.1.6.1
 description: Databases on Rails. Build a persistent domain model by mapping database
   tables to Ruby classes. Strong conventions for associations, validations, aggregations,
   migrations, and testing come baked-in.
@@ -390,12 +390,12 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.5/activerecord/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.5/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.6.1/activerecord/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.6.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.5/activerecord
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.6.1/activerecord
   rubygems_mfa_required: 'true'
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--main"
 - README.rdoc
@@ -412,8 +412,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key: 
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: Object-relational mapper framework (part of Rails).
 test_files: []